Problem in installation of free SSL certificate on Weblogic using keytool

Similar Messages

• Issue in free SSL cert installation on Weblogic using keytool and Keystore

  Link which we used to follow below mentioned steps:-
  http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/ssl.html#1167001
  http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
  Steps:
  1) To generate keystore and private key and digital cerficate:-
  keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
  2) To generate CSR
  keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
  3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem)
  4) Same certificate is put into same keystore using following command
  keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
  5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
  (intermediateCa.cer file is downloaded from verisign site)
  keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
  6) After this configuration we used weblogic admin module to configure Keystore and SSL.
  7) For KeyStore tab in weblogic admin module, we have select option “Custom Identity And Custom Trust” provided following details under Identity and Trust columns:-
  Private key alias: mykey2
  PassKeyphrase: webconkeystorepassword
  Location of keystore: location of webconkeystore.jks file on server
  8) For SSL tab in weblogic admin module, we have select option “KeyStores” for “Identity and Trust locations”.
  9) After this we have restarted the server, but it is giving following error on console as shown below:
  <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
  <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
  <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore file /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks.>
  <Alert> <Security> <BEA-090716> <Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer>
  <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer>
  <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer.>
  <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
  Please let me know if I am missing anything
  Please help me to checkout and resolve this issue.

  Thankx for ur interest and reply.
  It says meyKey2 is type "keyEntry" not privateKeyEntry..but i hv followed steps which were mentioned.
  To give you details , I have executed listing command and appended its output below:
  Please find output of following command
  keytool -list -v -keystore webconkeystore.jks -storepass webconkeystorepassword >> output.txt
  contents of output.txt is
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 5 entries
  Alias name: intermediateca
  Creation date: Nov 3, 2009
  Entry type: trustedCertEntry
  Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
  Valid from: Wed Apr 01 05:30:00 IST 2009 until: Mon Apr 01 05:29:59 IST 2019
  Certificate fingerprints:
       MD5: 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
       SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
  Alias name: rootca
  Creation date: Nov 3, 2009
  Entry type: trustedCertEntry
  Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 168164a428ca12dfab12f19fb1b93554
  Valid from: Wed Apr 01 05:30:00 IST 2009 until: Sun Apr 01 05:29:59 IST 2029
  Certificate fingerprints:
       MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
       SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
  Alias name: mykey2
  Creation date: Nov 3, 2009
  Entry type: keyEntry
  Certificate chain length: 3
  Certificate[1]:
  Owner: CN=linuxbox04, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Tech, O=TechProcess, L=Mumbai, ST=Maharashtra, C=IN
  Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 232d382baddef6a3734984950d3505dc
  Valid from: Tue Nov 03 05:30:00 IST 2009 until: Wed Nov 18 05:29:59 IST 2009
  Certificate fingerprints:
       MD5: F2:28:41:DB:58:F4:5B:F4:9E:14:A4:D1:C6:9A:54:FB
       SHA1: 39:87:00:98:45:D3:30:C9:58:0D:A5:30:73:9B:10:19:B9:77:D0:F7
  Certificate[2]:
  Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
  Valid from: Wed Apr 01 05:30:00 IST 2009 until: Mon Apr 01 05:29:59 IST 2019
  Certificate fingerprints:
       MD5: 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
       SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
  Certificate[3]:
  Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 168164a428ca12dfab12f19fb1b93554
  Valid from: Wed Apr 01 05:30:00 IST 2009 until: Sun Apr 01 05:29:59 IST 2029
  Certificate fingerprints:
       MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
       SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
  Alias name: mykey1
  Creation date: Nov 3, 2009
  Entry type: trustedCertEntry
  Owner: CN=linuxbox04, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
  Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
  Serial number: 353710f6c067ba67988004f2080eb4ac
  Valid from: Tue Nov 03 05:30:00 IST 2009 until: Wed Nov 18 05:29:59 IST 2009
  Certificate fingerprints:
       MD5: 3C:C7:B1:DB:BB:A6:60:34:08:31:88:90:AE:EE:CB:7B
       SHA1: 69:63:20:CB:BC:93:89:88:19:1F:37:C0:A3:EE:E5:50:5A:29:39:DA
  Alias name: mykey
  Creation date: Nov 3, 2009
  Entry type: keyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=linuxbox04, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
  Issuer: CN=linuxbox04, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
  Serial number: 4aefbcd1
  Valid from: Tue Nov 03 10:47:05 IST 2009 until: Mon Feb 01 10:47:05 IST 2010
  Certificate fingerprints:
       MD5: 51:E7:52:7A:AA:1A:F6:E1:72:3C:BE:EF:D7:BF:92:85
       SHA1: F3:7C:D2:18:2C:75:9D:A5:70:28:1F:3C:90:93:B9:E4:1F:57:3B:DC
  Edited by: user1685139 on Nov 4, 2009 3:55 PM

• Godaddy SSL certificate on weblogic

  Hello,
  Recentally I purchased ssl certificate from godaddy, they send me 2 files (mydomain.crt) and (gd_bundle.crt).
  now I don't know how to create .pem file just to complete the installation. below the instruction I did.
  - keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
  - keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
  here when I enter this I get an error ( keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found). so how to create the CertChain.pem from the files I got from godaddy.
  - keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
  - keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
  Keytool –list –v –keystore <keystore-name> -storepass <keystore-password>

  I found out how to install godaddy ssl certificate on weblogic follow the link below.
  http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
  but I still get This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

• Can't access Exchange ActiveSync server - SSL certificates not being used

  When I try to set up my email via Exchange ActiveSync to a corporate server, I am unable to connect. I am using the same exact settings as on an iPhone, where I am able to successfully connect.
  Reading the console log in the iPhone configuration utility, the problem appears to be that the iPad is not using the corporate certificates I have installed to enable SSL access to the Exchange server. These certificates are installed in the exact same way they are on my iPhone, where they work correctly.
  Has anyone else had a similar problem accessing Exchange mail using SSL certificates? Any ideas on how to fix this? Or is this a bug in the iPad software?

  IM having the same problem. iPhone works fine on exchange atvwork but iPad with same settings says cannot connect to exchange server. Have you figured anything out yet?
  Tom

• Accepting runtime-specified SSL certificates in WebLogic 11g

  Hi all!
  In our application we need to call several Web Servervices based on URL's and trusted SSL certificates that are stored in database. Those certificates are self-signed but we cannot add them in the WebLogic truststore (we only want to accept them for those specific web service calls). This is 2-way SSL but our server refuses the remote certificate.
  What is the right way to do this?
  In WebLogic 10g we used to do the following:
      WlsSSLAdapter adapter = new WlsSSLAdapter();
      try {
          // setup for client certificate
          adapter.setKeystore(…);
          adapter.setClientCert(…);
          // setup for accepting the remote certificate
          adapter.setTrustManager(new TrustManager() {
              @Override
              public boolean certificateCallback(X509Certificate[] paramArrayOfX509Certificate, int paramInt) {
                  return paramArrayOfX509Certificate[0] == expectedCertificate;
      } catch (Exception e) {
          throw new RuntimeException(e);
      ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);However in WebLogic 11g it appears that even if the <tt>TrustManager</tt> is called (which we checked by using a debugger), WebLogic refuses the certificate:
  <validationCallback: validateErr = 16>
  <  cert[0] = Serial number: 9232073310112809071929676484517784211
      Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
      Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
      Not Valid Before:Tue Nov 01 14:33:31 CET 2011
      Not Valid After:Sun Nov 02 14:33:31 CET 2031
      Signature Algorithm:MD5withRSA
      >
  <weblogic user specified trustmanager validation status 16>
  <Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
  <Validation error = 16>
  <Certificate chain is untrusted>
  <SSLTrustValidator returns: 16>
  <Trust status (16):  CERT_CHAIN_UNTRUSTED>
  <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
        at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
        at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  …I think the first difference occurs on the line "+weblogic user specified trustmanager validation status 16+" where in WebLogic 10g the value was 0 instead of 16.
  If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the <tt>TrustManager</tt> is not called at all.
  We also tried to configure the <tt>TrustManager</tt> by implementing a <tt>javax.net.ssl.X509TrustManager</tt> that we set on a <tt>weblogic.wsee.connection.transport.https.HttpsTransportInfo</tt> passed to the stub using
  ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (<tt>weblogic.wsee.tools.anttasks.ClientGenTask</tt>).
  We are a little bit stuck, any idea of what we should do? Is the WebLogic 11g behavior a regression or is there something else we should configure to get back the old behavior?

  Hello,
  Weblogic has two keystores : identity (if you are doing 2 ways SSL) and trust. you should import your "external" certificate in the "trust" key store.
  look at your server config to know your config : Home >Summary of Servers >AdminServer-->configuration-->keystore
  I suggest that you change the default configuration (not using the demo one),
  then when you know where is yo key store use the command line to add your certificate to trusted store (this is a example) :
  opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
  once your certificated is added to your trust store it should work.
  I hope it will help.

• How to configure SSL certificates on weblogic 10.3.5?

  Hi everybody,
  i' ve got 2 certificates: Server and Intermediate CA. I used java keytool command to import these two certificates into new keystore:
  keytool -import -v -alias server_cert -file certificate.pem -keystore keystore.jks
  keytool -import -v -alias intermediate_ca -file intermediate.pem -keystore keystore.jks
  Then as weblogic 10.3.5 documentation says i need to use ImportPrivateKey utility in order to import private key into keystore, so i use this command:
  java utils.ImportPrivateKey -keystore private.jks -storepass password -keyfile mykey -keyfilepass password -keyfile private.pem -alias private
  and get the following error:
  Exception in thread "main" java.lang.NoClassDefFoundError: utils.ImportPrivateKey
  at gnu.java.lang.MainThread.run(libgcj.so.7rh)
  Caused by: java.lang.ClassNotFoundException: utils.ImportPrivateKey not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:./], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
  at java.net.URLClassLoader.findClass(libgcj.so.7rh)
  at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
  at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
  at gnu.java.lang.MainThread.run(libgcj.so.7rh)
  Any ideas? Thanks.
  Regards,
  Karolis M.

  Hello,
  Weblogic has two keystores : identity (if you are doing 2 ways SSL) and trust. you should import your "external" certificate in the "trust" key store.
  look at your server config to know your config : Home >Summary of Servers >AdminServer-->configuration-->keystore
  I suggest that you change the default configuration (not using the demo one),
  then when you know where is yo key store use the command line to add your certificate to trusted store (this is a example) :
  opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
  once your certificated is added to your trust store it should work.
  I hope it will help.

• Iplanet 6.0 creating a development SSL certificate for internal use

  With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
  Is there a tool to create my own SSL certificate for development work with iplanet 6.0?

  With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
  Is there a tool to create my own SSL certificate for development work with iplanet 6.0?

• Problem trying to read an SSL server socket stream using readByte().

  Hi I'm trying to read an SSL server socket stream using readByte(). I need to use readByte() because my program acts an LDAP proxy (receives LDAP messages from an LDAP client then passes them onto an actual LDAP server. It works fine with normal LDAP data streams but once an SSL data stream is introduced, readByte just hangs! Here is my code.....
  help!!! anyone?... anyone?
  1. SSL Socket is first read into  " InputStream input"
  public void     run()
            Authorization     auth = new Authorization();
            try     {
                 InputStream     input     =     client.getInputStream();
                 while     (true)
                 {     StandLdapCommand command;
                      try
                           command = new StandLdapCommand(input);
                           Authorization     t = command.get_auth();
                           if (t != null )
                                auth = t;
                      catch( SocketException e )
                      {     // If socket error, drop the connection
                           Message.Info( "Client connection closed: " + e );
                           close( e );
                           break;
                      catch( EOFException e )
                      {     // If socket error, drop the connection
                           Message.Info( "Client connection close: " + e );
                           close( e );
                           break;
                      catch( Exception e )
                           //Way too many of these to trace them!
                           Message.Error( "Command not processed due to exception");
                           close( e );
                                          break;
                                          //continue;
                      processor.processBefore(auth,     command);
                                  try
                                    Thread.sleep(40); //yield to other threads
                                  catch(InterruptedException ie) {}
            catch     (Exception e)
                 close(e);
  2 Then data is sent to an intermediate function 
  from this statement in the function above:   command = new StandLdapCommand(input);
       public StandLdapCommand(InputStream     in)     throws IOException
            message     =     LDAPMessage.receive(in);
            analyze();
  Then finally, the read function where it hangs at  "int tag = (int)din.readByte(); "
  public static LDAPMessage receive(InputStream is) throws IOException
      *  LDAP Message Format =
      *      1.  LBER_SEQUENCE                           --  1 byte
      *      2.  Length                                  --  variable length     = 3 + 4 + 5 ....
      *      3.  ID                                      --  variable length
      *      4.  LDAP_REQ_msg                            --  1 byte
      *      5.  Message specific structure              --  variable length
      DataInputStream din = new DataInputStream(is);
         int tag = (int)din.readByte();      // sequence tag// sequence tag

  I suspect you are actually getting an Exception and not tracing the cause properly and then doing a sleep and then getting another Exception. Never ever catch an exception without tracing what it actually is somewhere.
  Also I don't know what the sleep is supposed to be for. You will block in readByte() until something comes in, and that should be enough yielding for anybody. The sleep is just literally a waste of time.

• How to add a certificate to keystore using keytool?

  Hi all,
  I am trying to connect a server from my application which requires a certificate for secure connection.
  I am using Jdeveloper. Should I use command prompt and use keytool command after going to jdk home of jdeveloper and add the certificate?
  What password should I use?
  Sam

  Consult for example:
  http://www.thatsjava.com/java-tech/38248/
  http://www.oracle.com/technology/sample_code/tech/java/codesnippet/ejb/applettoejb/HowTo_Applet_talks_to_Session_bean.html
  http://oraforms.blogspot.com/2009/02/setting-up-jdeveloper-for-httpsssl.html
  NA
  http://nickaiva.blogspot.com

• Problems using 4096 bit SSL certificate with WebLogic Apache 2.2 plug-in

  Hi,
  'm using WebLogic 9.2 MP3 and Apache HTTP Server (version 2.2) Plug-In. For security reasons, I have SSL installed on both Apache and WebLogic. So Apache must communicate with WebLogic via https.
  I get the following error when attempting to access WebLogic via Apache:
  Internet Explorer cannot display the webpage
  These are the last lines in wlproxy log:
  Fri Feb 26 14:08:59 2010 <71212672221392> INFO: SSL is configured
  Fri Feb 26 14:08:59 2010 <71212672221392> SSL Main Context not set. Calling InitSSL
  Fri Feb 26 14:08:59 2010 <71212672221331> INFO: Initializing SSL library
  I've found that the problem is caused by using a 4096 bit intermediate cert. When I include this 4096 bit cert in the file referenced by plugin parameter "TrustedCAFile", it is unable to load it. I've tested 4096 bit certs from a few different certificate authorities, and consistently see this problem, so I know the problem is not related to the specific certificate. If I use a 2048 bit intermediate certificate, everything works perfectly fine.
  Do you know if there are limitations to the certificate length that the plug-in can use?

  Yes 4096 bit Certificates are not supported by the plugin.
  You can use up to 2048 bit.
  There is a Bug which clearly mentions it.
  I dont remember the Bug Number, but an Oracle Support person will be able to tell you.
  Hope this helps.
  Faisal Khan
  Edited by: Faisal Khan on Feb 27, 2010 2:08 PM

• Godaddy SSL certificate installation problems - intermediate certificate not being recognized

  domain = mail.gottfried.org
  Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
  Response from:
  http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
  When I check in 0000_any_443_.conf
  I see:
  SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. cert.pem
  SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. key.pem
  SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. chain.pem
  I am assuming that the intermediate certificate should be:
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
  When I look at that certicate it is the same as
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
  When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
  It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
  Anyone have any suggestions?
  I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldnt really help and if I really want help from them I need to talk to integration where costs start at $700....
  Anyone have an SSL provider that worked properly with 10.8  or has really good support for mountain lion server?
  Please let me know.
  Thanks!

  While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
  If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
  Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
  FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
  Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally to sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

• Problem with OAS Instance Name y Host Name to create trial ssl certificate

  Hi, everyone
  I have a problem when creating a trial ssl certificate from Verisign page, affer a live assistance, that page rejected my CSR generated from OAS, saying thay my common name has invalid characters.
  My Oracle Application Server installation name: Instance.HostName is:
  IAS_IND01.ind-internet
  So, Verisign told me this name can't contain "_" or "-" characters for example.
  I need to know if it's possible to change the instance name and if OAS host name changes also if i change server's host name.
  I wouldn't like to reinstall all over again.
  Please help.
  Regards
  David

  Hi,
  No your AS server will not automatic. even if you change your host name.
  If U 'll try to change your host name, be carefull when U 'll try to start you AS instacne
  it ' not start anymore , AS user hosts fill to get full quallified name of your host.
  U 've two choices
  -1 delete your AS, then change your hosts name, then new installtion of AS
  2- If U 've exprience with AS, just breng your AS down, change your hosts name,
  U 'll need to do some changes in your AS, just read admininstrator Guide.
  Cheers,
  Hamdy

• SSL certificates for multiple websites

  I am having problems with websites recognizing the SSL certificate assigned to said site. For example, I have three secure websites; (1) x.abc.com, (2) y.abc.com, and (3) z.abc.com. All are setup for SSL with associated SSL certificates from a signed authority. However, when I browse to said sites, I receive an SSL mismatch error pertaining to the domain name. For whatever reason, two of the sites want to use the main site SSL certificate.
  I have verified that the sites are setup correctly with the proper SSL certificate and restarted web services. Any ideas?
  Thanks!

  You do this by IP Aliasing the machine
  Oh, you were referring to IP Aliases. Sorry. I interpreted your comment as meaning Server Aliases within Apache (where multiple hostnames map to the same virtual host configuration).
  My bad.
  So we're both right - you need multiple IP addresses on your server (either by duplicating the inteface in System Preferences, or through IPAliases.conf) and you need to bind one SSL site to each IP address (although you could also use different port numbers on the same IP address in Apache).
  If you're using NAT you still need multiple public IP addresses that forward to each of the IP Aliases (or virtual hosts).

• Sequence tag error while importing the SSL certificate into ".keystore" fil

  I have created the ".keystore " file successfully and also imported the "root.cer".
  but while importing the SSL certificate it says like
  "keytool error: java.security.cert.CertificateException: IOException: Sequence ta
  g error" (I got the certificate from Verisign)
  How to resolve this Error?
  can anyone help me?
  mail to:: [email protected]
  Thanks in Advance

  Hi,
  I resolved this error by making it sure that there are no extra spaces or unwanted caracter copied while copying the certificate response from the CA. Make sure you are copying the certificate response properly. In my case, some extra space was getting copied so after re-copyinf it properly, it worked.

• Inccorect Encrypted block when inserting SSL certificate

  Generated new SSL certificate for Weblogic Serer 6.1, inserted Server certificate, the Root Certificate Authority (Chain File), the Private key file but is getting the following error - can anyone assist?
  weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:291)...

  This might be caused by an invalid/not specified private key password.
  Pavel.
  bibi <[email protected]> wrote:
  Generated new SSL certificate for Weblogic Serer 6.1, inserted Server
  certificate, the Root Certificate Authority (Chain File), the Private
  key file but is getting the following error - can anyone assist?
  weblogic.security.AuthenticationException: Incorrect encrypted block
  possibly incorrect SSLServerCertificateChainFileName set for this server
  certificate at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:291)...